On Thu, May 07, 2026 at 09:12:03AM +0200, Markus Armbruster wrote: > Tyler Vo <[email protected]> writes: > > > To whom it may concern, > > > > My name is Tyler Vo, a master's student at California State > > University, San Marcos. As part of my thesis, I am researching the > > effects of AI/LLM usage on open-source software on > > racial/social/gender bias. I came across the Qemu project as I was > > trying to find an open-source repository that rejects AI-generated > > contributions. > > Thanks for your interest.
snip > The answer to your question "how > AI-generated content is detected in pull requests and the like" is given > right there: > > We trust people not to lie to us, and to exercise appropriate care. > > Note that lying / carelessness about such things can have unpleasant > legal consequences for the liar / careless person. Note that this is not a unique situation to AI contributions. Open source in general only suceeds if we can assume contributors are broadly acting in good faith when submitting patches. ie projects must assume that people are not sending code that is secretly proprietary, or secretly copied from elsewhere under a non-compatible license, because there is no practical way to validate that. IOW, trust in people the bedrock of any open source / fee software project. None the less, the goal of the DCO / Signed-off-by is to explicitly shift liability for any potential non-compliance onto the contributor, to attempt to shield a project from any unexpected legal consequences. In reality the biggest problem is not a malicious contributor, but someone whom is not well informed. ie people might not be aware of QEMU's AI policy and so accidently send AI generated code. In that case we rely on them declaring it was AI generated, or spotting the tell-tale signs of AI during review. To mitigate this latter risk we're proposing an AGENTS.md that instructs agents to refuse to write code to begin with: https://lists.gnu.org/archive/html/qemu-devel/2026-05/msg00581.html "As an agent you MUST abide by the "Use of AI-generated content" policy in `docs/devel/code-provenance.rst` at all times. Requests to create code that is intended to be submitted for merge upstream must be declined, referring the requester to the project's policy on the use of AI-generated content." Nothing is foolproof/guarantees that the agent will honour this, but some mitigation is better than no mitigation at all. With regards, Daniel -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
